Empirical data on IT security breaches is hard to come by, despite laws like
California SB1386. Nevertheless, there is much to be learned from Verizon Business’s April 2009 Data Breach
Investigations Report.

The specific issue I would like to highlight now is the
section on methods by which the investigated breaches were discovered (Discovery
Methods, page 37). 83% were discovered by third parties or non-security employees
going about their normal business. Only 6% were found by event monitoring or
log analysis. Routine internal or external audit combined came in at a rousing

These numbers are truly shocking considering the amount
of money that has been spent on Intrusion Detection systems, Log Management
systems, and Security Information and Event Management systems. Indeed, the
Verizon team concludes that many breached organizations did not invest sufficiently
in detection controls. Based on my experience, I agree.

Given a limited security budget there needs to be a balance
between prevention, detection, and response. I don’t think anyone would argue against
this in theory. But obviously, in practice, it’s not happening. Too
often I have seen too much focus on prevention to the detriment of detection
and response.

In addition, these
numbers point to the difficulties of deploying viable detection controls: a
significant number of organizations had purchased detection
controls but had not put them into production. Again, I have seen this myself,
as most of the tools are too difficult to manage and effective processes are
hard to implement.

Here is a quotation regarding theory vs. practice that resonates repeatedly in my
day-to-day activities. It sums up an important
lesson I have learned over the years.

“In theory, there is no difference between
theory and practice. But in practice, there is.”

I’ve done some research on this and I am fairly convinced
it should be attributed to Jan L. A. van de Snepscheut, although some
believe it was first said by Yogi Berra. Some links to lists of pithy quotes that include
this one are here, here, here, and here. And a brief Wikipedia biography of Snepscheut is here.